PT-2020-2654 · Cloudbees+1 · Jenkins
Phu X. Mai · Published 2020-03-25 · Updated 2024-03-06 · CVE-2020-2162
CVSS v2.0: 5.5 (Medium)
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins versions 2.227 and earlier
Jenkins LTS versions 2.204.5 and earlier
Description
The issue is the absence of HTTP Content-Security-Policy headers on files uploaded as file parameters to a build and later served by Jenkins. This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by users permitted to build a job that has file parameters, allowing remote attackers to perform cross-site scripting attacks.
Recommendations
For Jenkins versions 2.227 and earlier, update to a version that sets Content-Security-Policy HTTP headers when serving files uploaded via a file parameter.
For Jenkins LTS versions 2.204.5 and earlier, update to a version that sets Content-Security-Policy HTTP headers when serving files uploaded via a file parameter.
As a temporary workaround, consider setting the system property hudson.model.DirectoryBrowserSupport.CSP to override the value of the Content-Security-Policy header sent when serving these files.
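The script below is an added example for checking an instance against this advisory; it is not part of the advisory or of Jenkins. It takes the response headers returned for a file-parameter URL (constructed samples are embedded for an unpatched response, a patched response, and a weakened override of hudson.model.DirectoryBrowserSupport.CSP) and reports whether the Content-Security-Policy actually prevents script execution in the served file. The default policy string is the one Jenkins documents for DirectoryBrowserSupport; the function names and the sample header sets are this example's own.

```python
"""Check whether a file served by Jenkins carries a CSP that blocks stored XSS
(CVE-2020-2162). Example code, not Jenkins' own; header samples are constructed."""
from typing import Dict, List, Optional, Tuple

# Default DirectoryBrowserSupport policy as documented by Jenkins (what the
# fixed versions send when hudson.model.DirectoryBrowserSupport.CSP is unset).
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

# Constructed header sets standing in for real responses to a file-parameter URL.
SAMPLE_UNPATCHED = {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"}
SAMPLE_PATCHED = {"Content-Type": "text/html", "Content-Security-Policy": JENKINS_DEFAULT_CSP}
# An override that re-enables scripts and same-origin access: as weak as no header.
SAMPLE_WEAK_OVERRIDE = {
    "Content-Type": "text/html",
    "content-security-policy": "sandbox allow-scripts allow-same-origin; default-src 'self'",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [tokens]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (servers and proxies vary the casing)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_blocks_script_execution(csp: str) -> bool:
    """Heuristic for this advisory's case: the policy stops scripts in the served
    document if it sandboxes without allow-scripts, or if the effective
    script source is 'none' (script-src, falling back to default-src)."""
    directives = parse_csp(csp)
    if "sandbox" in directives and "allow-scripts" not in directives["sandbox"]:
        return True
    sources = directives.get("script-src", directives.get("default-src"))
    return sources == ["'none'"]


def assess_response(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return ("vulnerable" | "protected", reason) for one served-file response."""
    csp = get_header(headers, "Content-Security-Policy")
    if csp is None:
        return ("vulnerable", "no Content-Security-Policy header: uploaded HTML "
                "would run scripts in the Jenkins origin")
    if not csp_blocks_script_execution(csp):
        return ("vulnerable", f"CSP present but still permits script execution: {csp!r}")
    return ("protected", f"CSP restricts script execution: {csp!r}")


if __name__ == "__main__":
    for label, sample in (("unpatched", SAMPLE_UNPATCHED),
                          ("patched", SAMPLE_PATCHED),
                          ("weak override", SAMPLE_WEAK_OVERRIDE)):
        verdict, reason = assess_response(sample)
        print(f"{label:14} -> {verdict}: {reason}")
```

In practice the header set comes from the response for a real file-parameter download URL on the instance (for example the headers printed by `curl -sI`); the point of the third sample is that the workaround property should be used to tighten the policy, not to relax it, since a value containing `allow-scripts` reintroduces the stored XSS the fix removes.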
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins